As 2024 comes to a close, it’s essential to reflect on the importance of securing our digital infrastructure. Throughout this year, critical vulnerabilities have been discovered in Windows systems that could put organizations and individuals at risk. These vulnerabilities, if left unaddressed, can lead to remote code execution, privilege escalation, and spoofing attacks.
In this blog post, we will cover actionable steps to mitigate several of the most critical vulnerabilities identified in Windows systems this year, including CVE-2024-49112, CVE-2024-38200, CVE-2024-43533, and more. These steps will help ensure that your systems are secure as we head into the new year.
CVE-2024-49112: Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability
Step 1: Check Domain Controller’s Internet Access
- Test if the domain controller can access the internet:
- The first step is to verify if your domain controller has direct internet access. This is important because attackers can exploit domain controllers via external networks if they are connected to the internet.
- Run the following PowerShell command to test if the domain controller can reach an external server (e.g., www.google.com).
- $InternetStatus = Test-NetConnection -ComputerName "www.google.com"
- If the output shows that the domain controller has internet access (PingSucceeded = True), proceed to the next step to block this access.
- If there is no internet access, your domain controller is already secure from this particular vector.
- Block outbound internet access (if internet access is detected):
- If the domain controller has internet access, block all outbound internet traffic by running the following PowerShell command:
- New-NetFirewallRule -DisplayName "Block Outbound Internet Access" -Direction Outbound -Action Block -RemoteAddress "0.0.0.0/0"
- This command will block all outbound traffic to external destinations, effectively preventing the domain controller from reaching the internet and reducing exposure to external threats.
Step 2: Block Inbound RPC Connections from Untrusted Networks
- Identify untrusted network ranges:
- To block malicious inbound RPC connections, identify untrusted network ranges or external IPs that should not be allowed to communicate with your domain controller.
- Replace the variable $untrustedNetworkRange with your actual untrusted IP range or subnet (e.g., “10.0.0.0/8”).
- Create a firewall rule to block inbound RPC connections:
- Run the following PowerShell command to block inbound RPC connections from untrusted networks. This rule applies to the commonly used RPC ports 135, 139, and 445:
- New-NetFirewallRule -DisplayName "Block Inbound RPC from Untrusted Networks" -Direction Inbound -Protocol TCP -LocalPort 135,139,445 -RemoteAddress $untrustedNetworkRange -Action Block
- This action prevents attackers from exploiting vulnerabilities in the RPC services via untrusted networks, adding another layer of protection for your domain controller.
Step 3: Verify Mitigation Success
- Confirm internet access is blocked:
- Run the following PowerShell command to verify that outbound internet access has been successfully blocked:
- Get-NetFirewallRule -DisplayName "Block Outbound Internet Access"
- This will show if the firewall rule is active and correctly blocking all outbound traffic.
- Check inbound RPC block:
- Similarly, confirm that the inbound RPC rule is in place by running:
- Get-NetFirewallRule -DisplayName "Block Inbound RPC from Untrusted Networks"
- This ensures that RPC connections from untrusted networks are being properly blocked.
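As an added example that is not part of the original post, the script below strings Steps 1 to 3 together in PowerShell: it tests reachability, creates each firewall rule only if a rule of that name is not already present, and then reports both rules with their port and address filters. It assumes a placeholder $untrustedNetworkRange and, like the post's command, a blanket outbound block, which also stops replication and other legitimate traffic, so scope it to your internal ranges before applying it to a production domain controller.

```powershell
# Added example (not from the original post). Run in an elevated session.
#Requires -RunAsAdministrator
$untrustedNetworkRange = "10.0.0.0/8"   # placeholder value, as in the post

function Test-DcInternetAccess {
    # Returns $true when the host can reach www.google.com by ping or on TCP 443.
    $result = Test-NetConnection -ComputerName "www.google.com" -Port 443 -WarningAction SilentlyContinue
    return ($result.PingSucceeded -or $result.TcpTestSucceeded)
}

function Add-BlockRuleIfMissing {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][hashtable]$RuleParams
    )
    # Create the rule only if no rule with this DisplayName exists yet, so that
    # re-running the script does not pile up duplicate rules.
    $existing = Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Host "Rule '$DisplayName' already exists (Enabled=$($existing.Enabled))"
        return $existing
    }
    return New-NetFirewallRule -DisplayName $DisplayName -Action Block @RuleParams
}

# Step 1: block outbound traffic only when internet access is actually detected.
if (Test-DcInternetAccess) {
    Write-Warning "Domain controller can reach the internet; creating the outbound block rule."
    Add-BlockRuleIfMissing -DisplayName "Block Outbound Internet Access" -RuleParams @{
        Direction     = "Outbound"
        RemoteAddress = "Any"   # all destinations; the post writes this as 0.0.0.0/0
    } | Out-Null
} else {
    Write-Host "No outbound internet access detected."
}

# Step 2: block inbound RPC/SMB ports from the untrusted range.
Add-BlockRuleIfMissing -DisplayName "Block Inbound RPC from Untrusted Networks" -RuleParams @{
    Direction     = "Inbound"
    Protocol      = "TCP"
    LocalPort     = @(135, 139, 445)
    RemoteAddress = $untrustedNetworkRange
} | Out-Null

# Step 3: report the state of both rules, including their port and address filters,
# rather than only checking that a rule of that name exists.
foreach ($name in "Block Outbound Internet Access", "Block Inbound RPC from Untrusted Networks") {
    $rule = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
    if (-not $rule) { Write-Host "$name : not present"; continue }
    $ports = $rule | Get-NetFirewallPortFilter
    $addrs = $rule | Get-NetFirewallAddressFilter
    "{0}: Enabled={1} Action={2} LocalPort={3} RemoteAddress={4}" -f `
        $name, $rule.Enabled, $rule.Action, ($ports.LocalPort -join ","), ($addrs.RemoteAddress -join ",")
}
```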
CVE-2024-38200 & CVE-2024-43609: Microsoft Office Spoofing Vulnerability
Step 1: Restrict NTLM Outgoing Traffic Through Network Security Policies
- Open Group Policy Management:
- On your domain controller, open the Group Policy Management Console (GPMC). You can do this by running gpmc.msc from the Run dialog or PowerShell.
- Create a New Group Policy Object (GPO):
- In the GPMC, right-click your domain and select Create a GPO in this domain, and Link it here. Name it something like “Restrict NTLM Outgoing Traffic.”
- Edit the GPO:
- Right-click the new GPO and select Edit.
- Navigate to Computer Configuration > Policies > Administrative Templates > System > Netlogon.
- Locate and enable the policy Restrict NTLM: Outgoing NTLM traffic to remote servers. Set it to Block or Audit to restrict NTLM traffic.
- Apply the GPO:
- After configuring the policy, link it to the appropriate Organizational Units (OUs) in your domain, ensuring that it applies to all domain controllers and systems requiring NTLM traffic restrictions.
- Verify the Policy:
- Run the following command to verify that the GPO has been applied:
gpresult /r
- Ensure that the NTLM restriction policy is correctly listed.
Step 2: Use the Protected Users Security Group to Prevent NTLM Authentication for Sensitive Accounts
- Add Sensitive Accounts to the Protected Users Security Group:
- The Protected Users security group helps mitigate NTLM authentication for sensitive accounts, such as Domain Admins and Enterprise Admins, by enforcing modern authentication protocols like Kerberos.
- To add a user to the Protected Users group, run the following PowerShell command:
- Add-ADGroupMember -Identity "Protected Users" -Members "Domain Admins"
- Replace “Domain Admins” with any other sensitive accounts or groups you want to protect.
- Verify Group Membership:
- To verify that the accounts have been added to the Protected Users group, run the following command:
- Get-ADGroupMember -Identity "Protected Users"
- Monitor Potential Impacts:
- Note that some applications may depend on NTLM for authentication. Monitor the behavior of applications that rely on NTLM and assess whether they are functioning correctly after enforcing the Protected Users group.
Step 3: Block SMB Outbound Traffic Using Firewalls and VPN Settings
- Block SMB Traffic with a Firewall Rule:
- Open PowerShell with administrative privileges.
- Run the following command to block outbound SMB traffic on ports 445 (used by SMB) and 139 (used for legacy SMB traffic):
- New-NetFirewallRule -DisplayName "Block Outbound SMB Traffic" -Direction Outbound -Protocol TCP -RemotePort 445,139 -Action Block
- Apply the Rule to Your VPN Settings:
- If you have a VPN that allows SMB traffic to pass through, configure the VPN firewall settings to block outbound SMB traffic (ports 445 and 139). Check your VPN provider’s documentation for specific instructions on applying firewall rules.
- Verify the Firewall Rule:
- To ensure the SMB rule is active, run the following command:
- Get-NetFirewallRule -DisplayName "Block Outbound SMB Traffic"
- Ensure that the rule is listed and set to Block.
Step 4: Monitor and Verify Mitigation Success
- Monitor NTLM Traffic:
- After applying the NTLM traffic restrictions, monitor your network for any unexpected authentication failures or issues with legacy applications that require NTLM. Use network monitoring tools like Wireshark or Network Monitor to check for NTLM traffic.
- Audit SMB Traffic:
- Use auditing tools to monitor if any SMB traffic is still flowing through your network. This can be done using Windows Event Logs or network security appliances that log and report outbound traffic.
- Check Application Compatibility:
- Monitor the behavior of NTLM-dependent applications to ensure they are still functioning properly. If any applications fail, consider transitioning them to modern authentication methods like Kerberos or reviewing their compatibility with the changes.
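The following script is an added example, not code from the original post, covering Steps 2 to 4: it adds principals to Protected Users without duplicating existing members, creates the outbound SMB block on the destination port, and summarises what the NTLM operational log has recorded so that legacy NTLM dependencies surface before they break. It assumes the ActiveDirectory module (RSAT) on a domain-joined host and an elevated session.

```powershell
# Added example (not from the original post).
#Requires -RunAsAdministrator
Import-Module ActiveDirectory

# Step 2: add sensitive principals to Protected Users, skipping ones already there.
function Add-ToProtectedUsers {
    param([Parameter(Mandatory)][string[]]$Members)
    $current = (Get-ADGroupMember -Identity "Protected Users").SamAccountName
    foreach ($m in $Members) {
        if ($current -contains $m) { Write-Host "$m is already in Protected Users"; continue }
        Add-ADGroupMember -Identity "Protected Users" -Members $m
        Write-Host "Added $m to Protected Users"
    }
    return (Get-ADGroupMember -Identity "Protected Users").SamAccountName
}

# Step 3: block outbound SMB. An outbound connection uses an ephemeral local port,
# so the filter has to be on the destination (remote) port 445/139.
function Set-OutboundSmbBlock {
    $name = "Block Outbound SMB Traffic"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Protocol TCP `
            -RemotePort 445,139 -Action Block | Out-Null
    }
    $rule = Get-NetFirewallRule -DisplayName $name
    $port = $rule | Get-NetFirewallPortFilter
    [pscustomobject]@{ Name = $name; Enabled = $rule.Enabled; Action = $rule.Action; RemotePort = ($port.RemotePort -join ",") }
}

# Step 4: summarise NTLM events recorded since the restriction was applied.
# The Microsoft-Windows-NTLM/Operational log typically only receives events once
# "Restrict NTLM" is set to Audit or Block, so an empty result before the policy
# takes effect is expected.
function Get-NtlmEventSummary {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    Get-WinEvent -FilterHashtable @{ LogName = "Microsoft-Windows-NTLM/Operational"; StartTime = $Since } -ErrorAction SilentlyContinue |
        Group-Object Id |
        Sort-Object Count -Descending |
        Select-Object @{n="EventId";e={$_.Name}}, Count, @{n="Sample";e={$_.Group[0].Message.Split("`n")[0]}}
}

Add-ToProtectedUsers -Members "Domain Admins"    # replace with your own accounts or groups
Set-OutboundSmbBlock
Get-NtlmEventSummary | Format-Table -AutoSize
```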
CVE-2024-43571: Sudo for Windows Spoofing Vulnerability
Step 1: Disable Sudo Functionality via Sudo Policy CSP
- Open the Group Policy Editor:
- Press Windows + R to open the Run dialog.
- Type gpedit.msc and press Enter to open the Group Policy Editor.
- Navigate to the Sudo Policy:
- In the Group Policy Editor, go to: Computer Configuration > Administrative Templates > Windows Components > Device Guard
- Under Device Guard, find the Sudo Policy CSP.
- Set the Mode to Disabled:
- In the Sudo Policy CSP section, select EnableSudo.
- Set the policy to Disabled. This will disable all Sudo functionality in Windows.
- Apply the Policy:
- After setting the mode to Disabled, click OK to apply the changes.
- Test the Configuration:
- To verify that the configuration is working, open a command prompt and try running a command with sudo (e.g., sudo netstat -ab). It should print an error message and exit, confirming that Sudo has been disabled.
Step 2: Disable Sudo via the Windows Settings Menu
- Open the Settings Menu:
- Press Windows + I to open Settings.
- Navigate to Update & Security > For Developers.
- Choose a Configuration Option:
- Under “For Developers”, you will see the configuration options for Sudo. You can choose the following:
- Disabled: Completely disables Sudo functionality.
- Force new window: Launches the command line application in a new console window when sudo is used.
- Disable input: Launches the command line application in the current console window but prevents the user from typing any input.
- Normal: Allows the elevated process to receive input from the current console session (this is the default behavior).
- Set Sudo to Disabled:
- Select Disabled to disable Sudo entirely.
- Apply and Test the Settings:
- After applying the changes, open a command prompt and try running a command with sudo (e.g., sudo netstat -ab). The system should display an error message indicating that Sudo is not available.
Step 3: Verify and Monitor
- Test Sudo Functionality:
- After disabling Sudo, attempt to run a command using Sudo. If it has been properly disabled, you should see an error message and no command will execute with elevated privileges.
- Monitor for Issues:
- While disabling Sudo prevents exploitation of the vulnerability, it might impact legitimate uses where Sudo is required. Monitor for any issues with administrative privileges and ensure that applications relying on Sudo are either adjusted or appropriately configured.
CVE-2024-43533: Remote Desktop Client Remote Code Execution Vulnerability
Step 1: Check if Remote Desktop Services Are Enabled
- Open the System Properties:
- Press Windows + R to open the Run dialog.
- Type sysdm.cpl and press Enter to open System Properties.
- Navigate to Remote Desktop Settings:
- In the System Properties window, go to the Remote tab.
- Under the Remote Desktop section, check if Allow remote connections to this computer is selected. If it is, Remote Desktop Services are enabled on your system.
Step 2: Disable Remote Desktop Services
Option 1: Disable Remote Desktop through System Properties
- Open System Properties:
- Follow the steps above to open System Properties.
- Disable Remote Desktop:
- Under the Remote Desktop section, select “Don’t allow remote connections to this computer.”
- Click Apply, then OK to save the changes.
Option 2: Disable Remote Desktop via Group Policy (for Administrators)
- Open Group Policy Editor:
- Press Windows + R, type gpedit.msc, and press Enter to open the Local Group Policy Editor.
- Navigate to Remote Desktop Settings:
- In the Local Group Policy Editor, go to: Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections
- Disable Remote Desktop Connections:
- Double-click the policy named Allow users to connect remotely by using Remote Desktop Services.
- Set the policy to Disabled.
- Click Apply, then OK.
Option 3: Disable Remote Desktop via Windows Services
- Open Services:
- Press Windows + R, type services.msc, and press Enter to open Services.
- Stop and Disable the Remote Desktop Services:
- Find Remote Desktop Services in the list of services.
- Right-click on Remote Desktop Services, and select Stop to stop the service.
- To prevent the service from starting automatically in the future, right-click on Remote Desktop Services again, select Properties, and set the Startup type to Disabled.
- Click OK to apply the changes.
Step 3: Verify Remote Desktop is Disabled
- Check System Properties:
- Go back to System Properties and verify that Don’t allow remote connections to this computer is selected.
- Verify Service is Stopped:
- Open Services and ensure that Remote Desktop Services is listed as Stopped and its Startup type is set to Disabled.
- Test Remote Desktop:
- Try connecting to your system via Remote Desktop. If the service is properly disabled, the connection attempt should fail.
Step 4: Monitor and Review
- Monitor for Changes:
- Periodically check that Remote Desktop remains disabled, especially after system updates or changes.
- Review System Security:
- Make sure that any other unused or unneeded services are also disabled, as this will further reduce the attack surface of your system.
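As an added example, not from the original post, the script below applies the registry, firewall and service changes that Options 1 and 3 make through the GUI and then checks them the way Step 3 does, returning an object you can schedule for the periodic check in Step 4. Run it from a local console or non-RDP session, since it ends any Remote Desktop session on the machine.

```powershell
# Added example (not from the original post). Run elevated.
#Requires -RunAsAdministrator
$tsKey = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server"

function Disable-RemoteDesktop {
    # Option 1 equivalent: the "Don't allow remote connections" radio button sets
    # fDenyTSConnections to 1 under the Terminal Server key.
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1 -Type DWord
    # Also close the inbound firewall exception that "Allow remote connections" opens.
    Disable-NetFirewallRule -DisplayGroup "Remote Desktop" -ErrorAction SilentlyContinue
    # Option 3 equivalent: stop the service (TermService) and keep it from starting.
    Stop-Service -Name TermService -Force -ErrorAction SilentlyContinue
    Set-Service -Name TermService -StartupType Disabled
}

function Test-RemoteDesktopDisabled {
    # Disabled is $true only when every check agrees; the other fields show which
    # part is still open if it is not.
    $deny      = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections
    $svc       = Get-Service -Name TermService
    $startup   = (Get-CimInstance Win32_Service -Filter "Name='TermService'").StartMode
    $listening = [bool](Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        DenyConnections = ($deny -eq 1)
        ServiceStatus   = $svc.Status.ToString()
        StartupType     = $startup
        Port3389Listen  = $listening
        Disabled        = ($deny -eq 1 -and $svc.Status -eq "Stopped" -and -not $listening)
    }
}

Disable-RemoteDesktop
Test-RemoteDesktopDisabled
```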
CVE-2024-38189: Microsoft Project Remote Code Execution Vulnerability
Step 1: Block Macros from Running in Office Files from the Internet via Group Policy
- Open Group Policy Management:
- On your domain controller, open the Group Policy Management Console (GPMC) by typing gpmc.msc in the Run dialog.
- Create a New Group Policy Object (GPO):
- Right-click your domain in the Group Policy Management Console and select “Create a GPO in this domain, and Link it here.”
- Name the GPO something like “Block Macros from Internet Files.”
- Edit the GPO:
- Right-click the newly created GPO and select Edit.
- In the Group Policy Management Editor, navigate to: User Configuration > Administrative Templates > Microsoft Office 2016 > Security Settings
- Locate the policy named Block macros from running in Office files from the internet.
- Enable the Policy:
- Double-click the policy and select Enabled.
- When this policy is enabled, macros will be blocked even if the “Enable all macros” option is selected in the Trust Center. Users will see a notification that macros are blocked.
- Exceptions:
- Macros will still be allowed if:
- The Office file is saved to a Trusted Location.
- The file was previously trusted by the user.
- Macros are digitally signed, and the corresponding Trusted Publisher certificate is installed.
- Apply the Policy:
- After enabling the policy, link it to the appropriate Organizational Units (OUs) containing your target users or computers.
- Test the Policy:
- After applying the policy, open an Office file from the internet (e.g., an email attachment or a downloaded file). The macro should be blocked, and you should see a notification indicating that macros are blocked.
Step 2: Enable VBA Macro Notification Settings (Optional)
- Open the Trust Center:
- In any Office application (e.g., Microsoft Word or Excel), go to File > Options.
- Select Trust Center and then click Trust Center Settings.
- Navigate to Macro Settings:
- In the Trust Center, go to Macro Settings.
- Configure Notification Settings:
- You can configure Office to display notifications when macros are blocked, even if you don’t explicitly block macros from the internet.
- Choose “Disable all macros with notifications”. This will notify users when macros are blocked, and it will allow them to enable macros manually if needed.
- Apply the Settings:
- Click OK to save the changes.
Step 3: Block Macros via the Registry (Manual Configuration)
If you prefer to manually configure the registry instead of using Group Policy, you can block macros by modifying the Windows Registry.
- Open the Registry Editor:
- Press Windows + R, type regedit, and press Enter to open the Registry Editor.
- Navigate to the Microsoft Office Security Registry Path:
- Go to the following registry path: HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\powerpoint\security
- Create the Registry Value:
- Right-click on the security key and select New > DWORD (32-bit) Value.
- Name the new value “blockcontentexecutionfrominternet”.
- Set the Value:
- Double-click the new registry entry blockcontentexecutionfrominternet and set the value to 1 to enable blocking of macros from the internet.
- Set the value to 0 if you wish to disable the block (not recommended for mitigation).
- Exit Registry Editor:
- Close the Registry Editor after making the changes.
- Verify the Changes:
- Open an Office file from the internet and verify that the macros are blocked. If they are, you will see a notification informing the user of the block.
Step 4: Monitor and Review
- Monitor for Any Issues:
- After implementing the changes, monitor your network for any issues related to legitimate files requiring macros. Ensure that the trusted locations and trusted publisher exceptions work correctly.
- Review Macro Settings:
- Periodically review and test the macro settings to ensure that any security risks related to macros in Office files are properly mitigated.
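The script below is an added example, not part of the original post: it writes the blockcontentexecutionfrominternet value from Step 3 and then audits it, so the periodic review in Step 4 can be run as a command. The post gives the PowerPoint key only; the $apps list applies the same per-application key layout to Word and Excel as well, which is an assumption to check against your Office version, and it runs as the target user because the key is under HKCU.

```powershell
# Added example (not from the original post). Run in the context of the user whose
# HKCU hive should carry the policy.
$apps = "powerpoint", "word", "excel"   # extends the post's PowerPoint key to other apps

function Get-OfficeSecurityKey([string]$App) {
    "HKCU:\Software\Policies\Microsoft\Office\16.0\$App\Security"
}

function Set-InternetMacroBlock {
    param([string[]]$Apps = $apps)
    foreach ($app in $Apps) {
        $key = Get-OfficeSecurityKey $app
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # DWORD 1 = block macros in files that came from the internet; 0 would lift the block.
        Set-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -Value 1 -Type DWord
    }
}

function Get-InternetMacroBlockStatus {
    param([string[]]$Apps = $apps)
    foreach ($app in $Apps) {
        $key = Get-OfficeSecurityKey $app
        $val = (Get-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet
        [pscustomobject]@{
            Application = $app
            Key         = $key
            Value       = $val
            Status      = if ($null -eq $val) { "not configured" } elseif ($val -eq 1) { "blocked" } else { "NOT blocked" }
        }
    }
}

Set-InternetMacroBlock
Get-InternetMacroBlockStatus | Format-Table -AutoSize
```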
CVE-2024-38159 & CVE-2024-38160: Windows Network Virtualization Remote Code Execution Vulnerability
Step 1: Disable Hyper-V and Related Features (VBS) on the Host
Option 1: Disable Hyper-V via Control Panel
- Open Control Panel:
- Press Windows + R to open the Run dialog, type control, and press Enter to open the Control Panel.
- Go to Programs and Features:
- In the Control Panel, select Programs and then click on Turn Windows features on or off.
- Disable Hyper-V Features:
- Scroll down and find Hyper-V and Hyper-V Platform in the list of Windows features.
- Deselect the following:
- Hyper-V Hypervisor
- Hyper-V Management Tools
- Hyper-V Platform
- Click OK to apply the changes.
- Restart Your Computer:
- Restart your system to apply the changes.
- Check if Virtualization-Based Security is Disabled:
- After restarting, press Windows + R, type msinfo32, and press Enter to open System Information.
- Check if Virtualization-Based Security is listed as “not enabled.” If it is, Hyper-V and related features are successfully disabled.
Option 2: Disable VBS (Virtualization-Based Security) via Settings and Registry
- Disable Memory Integrity via Windows Security:
- Open the Windows Security app by searching for “Windows Security” in the Start menu.
- Go to Device Security > Core Isolation.
- Toggle Memory Integrity to Off.
- Restart your computer.
- Disable VBS via the Registry:
- Press Windows + R, type regedit, and press Enter to open the Registry Editor.
- Navigate to the following registry path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceGuard
- Find the EnableVirtualizationBasedSecurity entry and set its value to 0 to disable Virtualization-Based Security.
- Close Regedit and reboot your computer to apply the changes.
Step 2: Enable Nested Virtualization on VMware
- Ensure VMware is Installed:
- Make sure your VM is running on VMware with nested virtualization enabled. This will allow you to run virtualized environments inside your virtual machine.
- Enable Nested Virtualization in VMware:
- Open VMware and select the virtual machine you want to configure.
- Right-click on the VM and select Settings.
- In the VM Options tab, under CPU, enable Virtualize Intel VT-x/EPT or AMD-V/RVI. This option enables nested virtualization within the VM.
- Verify Nested Virtualization:
- Ensure the VM is running properly with nested virtualization enabled by checking the VMware logs or running a test that requires virtualization within the VM.
Step 3: Verify and Monitor the Configuration
- Check Hyper-V Status:
- After completing the above steps, ensure that Hyper-V is fully disabled and that VBS is not enabled by following the verification steps provided in Step 1.
- Verify that virtualization is properly disabled on the host machine, and the VM is running on VMware with nested virtualization enabled.
- Monitor Performance:
- Monitor your system for any performance changes after disabling VBS. Some users have reported a performance boost of up to 15% when VBS is disabled, but keep in mind that VBS offers additional security protection. Disable it only if you are prepared to be more cautious about risky activities, such as browsing the internet, without that protection.
- Test Virtual Machine Functionality:
- Ensure that the VM on VMware is functioning as expected with the necessary configurations for nested virtualization.
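As an added example that is not from the original post, the function below performs the check that Step 1 does through msinfo32 and Step 3 repeats: it reads the Win32_DeviceGuard CIM class for the live VBS state, the EnableVirtualizationBasedSecurity registry value the post names, and the state of the Hyper-V hypervisor feature, so you can confirm the host's state before and after a change. Run it elevated.

```powershell
# Added example (not from the original post). Run elevated.
function Get-VbsStatus {
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
    $statusText = switch ($dg.VirtualizationBasedSecurityStatus) {
        0 { "not enabled" }
        1 { "enabled, not running" }
        2 { "running" }
        default { "unknown" }
    }
    $regValue = (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard" `
        -Name EnableVirtualizationBasedSecurity -ErrorAction SilentlyContinue).EnableVirtualizationBasedSecurity
    $hyperv = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-Hypervisor
    [pscustomobject]@{
        VbsStatus               = $statusText
        VbsRegistryValue        = $regValue            # $null when the value does not exist
        HyperVHypervisorFeature = $hyperv.State.ToString()
        HypervisorPresent       = (Get-CimInstance Win32_ComputerSystem).HypervisorPresent
        SecurityServicesRunning = ($dg.SecurityServicesRunning -join ",")
    }
}

Get-VbsStatus
```

The registry value and the live status can disagree until the reboot the post calls for, which is why the function reports both.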
CVE-2024-38074 & CVE-2024-38077: Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability
Step 1: Deactivate the Remote Desktop Licensing Service
- Open Server Manager:
- On your Windows Server, press Windows + R, type servermanager, and press Enter to open Server Manager.
- Navigate to Remote Desktop Licensing Manager:
- In Server Manager, click on Tools in the top-right corner.
- From the dropdown, select Remote Desktop Services, then Remote Desktop Licensing Manager.
- Right-click the License Server:
- In the Remote Desktop Licensing Manager, right-click the license server you wish to deactivate.
- From the context menu, select Advanced, then click Deactivate Server.
- Follow the Deactivation Wizard:
- The Deactivate Server Wizard will appear. Confirm the information about the license server.
- Click Next and then Finish to deactivate the server.
- Verify the Deactivation:
- To verify that the deactivation was successful, use the RD Licensing Diagnostic tool:
- Go to Tools in Server Manager, then select RD Licensing Diagnostic.
- This will provide you with the status of the Remote Desktop Licensing Service and confirm that it has been properly deactivated.
Step 2: Uninstall Remote Desktop Licensing Service (if not needed)
- Open Apps and Features:
- Press Windows + I to open Settings.
- Navigate to Apps and then click on Apps & Features.
- Find Remote Desktop Services:
- Scroll through the list of installed applications to find Remote Desktop Services or Remote Desktop Licensing.
- Uninstall the Service:
- Click on Remote Desktop Services or Remote Desktop Licensing, then select Uninstall.
- Follow the prompts to complete the uninstallation process.
Step 3: Verify the Remote Desktop Licensing Service is Disabled
- Check System Services:
- Press Windows + R, type services.msc, and press Enter to open the Services window.
- Look for Remote Desktop Licensing in the list of services.
- Ensure that the service is either stopped or uninstalled.
- Test Remote Desktop Functionality:
- If you need Remote Desktop for administrative purposes, ensure that other RDS components (such as Remote Desktop Session Host) are still operational while the Licensing Service is disabled.
- Confirm that no Remote Desktop licensing-related errors are occurring when attempting to use the RDS features.
Step 4: Consider Additional Security Measures
- Disable RDP Access if Not Needed:
- If Remote Desktop is not required, disable RDP on the machine to prevent remote access.
- Go to Control Panel > System and Security > System > Remote settings.
- Under Remote Desktop, select Don’t allow remote connections to this computer.
- Apply Windows Updates:
- Ensure your system is fully patched with the latest Windows updates to mitigate any known vulnerabilities in RDS or the Remote Desktop Licensing Service.
- Go to Settings > Update & Security > Windows Update, and check for any available updates.
Step 5: Monitor the System for Unwanted Remote Access
- Use Network Monitoring Tools:
- Employ network monitoring tools such as Wireshark or NetFlow to monitor any unusual remote access traffic.
- Ensure that no unauthorized access is occurring, even if Remote Desktop has been disabled.
- Run Malware Scans:
- Use trusted antivirus and anti-malware software to scan for any potential threats that might enable remote access despite RDP being disabled.
- Verify Firewall Settings
- Ensure that the firewall is properly configured to block unnecessary ports. Particularly, verify that Port 3389 (used for RDP) is blocked if RDP is not in use.
CVE-2024-38061: DCOM Remote Cross-Session Activation Elevation of Privilege Vulnerability
Step 1: Modify the Registry to Set LegacyAuthenticationLevel
- Open the Registry Editor:
- Press Windows + R, type regedit, and press Enter to open the Registry Editor.
- Navigate to the Registry Key:
- In the Registry Editor, navigate to the following path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
- Create or Modify the LegacyAuthenticationLevel Entry:
- Right-click on the Ole folder in the left pane.
- Select New > DWORD (32-bit) Value.
- Name the new entry LegacyAuthenticationLevel.
- Double-click on the LegacyAuthenticationLevel entry to modify it.
- Set the Value data to 5 to set the authentication level to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY.
- This setting ensures packet integrity is enforced for DCOM communications, adding an extra layer of security.
- Click OK to save the changes.
Value | Constant
--- | ---
1 | RPC_C_AUTHN_LEVEL_NONE
2 | RPC_C_AUTHN_LEVEL_CONNECT
3 | RPC_C_AUTHN_LEVEL_CALL
4 | RPC_C_AUTHN_LEVEL_PKT
5 | RPC_C_AUTHN_LEVEL_PKT_INTEGRITY (recommended for mitigation)
6 | RPC_C_AUTHN_LEVEL_PKT_PRIVACY
Step 2: Restart the System
- After modifying the registry, restart your system to ensure that the new settings take effect.
Step 3: Verify the Change
- Check the Registry:
- Reopen the Registry Editor and navigate to the same path (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole).
- Verify that the LegacyAuthenticationLevel value is set to 5.
- Check the DCOM Behavior:
- Use diagnostic tools or simply monitor the system to ensure that DCOM operations are not encountering errors due to the stricter security settings. The goal is to ensure that RPC_C_AUTHN_LEVEL_PKT_INTEGRITY is properly applied.
Step 4: Monitor the System for Any Issues
- Test DCOM functionality: After applying the registry change, ensure that your system’s DCOM functionality operates correctly. Since this adjustment modifies the default authentication level for DCOM, there may be a potential impact on backward compatibility for certain applications relying on lower levels of authentication.
- Monitor system logs: Keep an eye on the Event Viewer and look for any warnings or errors related to DCOM or RPC communications to ensure that the change hasn’t caused any unintended issues.
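The script below is an added example, not code from the original post: it sets LegacyAuthenticationLevel as in Step 1, reads it back and translates it with the table above for Step 3, and summarises recent DCOM events from the System log for Step 4, where the DCOM hardening events (IDs 10036, 10037 and 10038) are the ones that point at clients or servers still negotiating a level below PKT_INTEGRITY. It assumes an elevated session and, as the post says, a reboot before the new level applies.

```powershell
# Added example (not from the original post). Run elevated; reboot afterwards.
#Requires -RunAsAdministrator
$oleKey = "HKLM:\SOFTWARE\Microsoft\Ole"
$authnLevels = @{
    1 = "RPC_C_AUTHN_LEVEL_NONE"; 2 = "RPC_C_AUTHN_LEVEL_CONNECT"; 3 = "RPC_C_AUTHN_LEVEL_CALL"
    4 = "RPC_C_AUTHN_LEVEL_PKT";  5 = "RPC_C_AUTHN_LEVEL_PKT_INTEGRITY"; 6 = "RPC_C_AUTHN_LEVEL_PKT_PRIVACY"
}

function Get-DcomLegacyAuthLevel {
    $v = (Get-ItemProperty -Path $oleKey -Name LegacyAuthenticationLevel -ErrorAction SilentlyContinue).LegacyAuthenticationLevel
    [pscustomobject]@{
        Value           = $v
        Constant        = if ($null -eq $v) { "(not set: OS default applies)" } else { $authnLevels[[int]$v] }
        MeetsMitigation = ($null -ne $v -and $v -ge 5)   # PKT_INTEGRITY or stronger
    }
}

function Set-DcomLegacyAuthLevel {
    param([ValidateRange(1, 6)][int]$Level = 5)
    # Set-ItemProperty creates the DWORD if it does not exist yet.
    Set-ItemProperty -Path $oleKey -Name LegacyAuthenticationLevel -Value $Level -Type DWord
    Get-DcomLegacyAuthLevel
}

function Get-DcomEventSummary {
    param([datetime]$Since = (Get-Date).AddDays(-7))
    # DCOM activation and authentication problems are logged by the
    # Microsoft-Windows-DistributedCOM provider in the System log; 10036-10038
    # are the hardening events raised when a peer uses too low a level.
    Get-WinEvent -FilterHashtable @{ LogName = "System"; ProviderName = "Microsoft-Windows-DistributedCOM"; StartTime = $Since } -ErrorAction SilentlyContinue |
        Group-Object Id | Sort-Object Count -Descending |
        Select-Object @{n="EventId";e={[int]$_.Name}}, Count, @{n="Level";e={$_.Group[0].LevelDisplayName}}
}

Set-DcomLegacyAuthLevel -Level 5
Get-DcomEventSummary | Format-Table -AutoSize
```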
CVE-2024-26232 & CVE-2024-30080: Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability
Step 1: Check if MSMQ HTTP-Support is Enabled
- Open Windows Features:
- Press Windows + R, type optionalfeatures.exe, and press Enter to open the Windows Features dialog.
- Locate MSMQ:
- Scroll through the list and find Microsoft Message Queuing (MSMQ).
- Disable MSMQ HTTP-Support:
- If MSMQ HTTP Support is checked, uncheck it to disable the feature.
- Click OK to apply the changes.
- Alternatively, you can also disable MSMQ HTTP-Support via PowerShell:
Disable-WindowsOptionalFeature -Online -FeatureName MSMQ-HTTP
- Restart the System:
- Restart the system for the changes to take effect.
Step 2: Check if MSMQ Service is Running
- Open Services:
- Press Windows + R, type services.msc, and press Enter to open the Services window.
- Check MSMQ Service:
- Look for the Message Queuing (MSMQ) service in the list of services.
- If the service is running and you don’t require MSMQ, right-click on it and select Stop.
- To disable the service from starting automatically, right-click on the service, select Properties, and set the Startup type to Disabled.
- You can also disable the service via PowerShell:
Set-Service -Name MSMQ -StartupType Disabled
Stop-Service -Name MSMQ
Step 3: Check if TCP Port 1801 is Open
- Open Command Prompt:
- Press Windows + R, type cmd, and press Enter to open the Command Prompt.
- Check if TCP Port 1801 is Listening:
- Run the following command to check if TCP port 1801 is open and if the MSMQ service is listening on that port: netstat -an | find "1801"
- If port 1801 is open and you don’t require MSMQ, you should block this port through the firewall.
- Block Port 1801 Using Windows Firewall:
- To block TCP port 1801, open Windows Defender Firewall by typing firewall.cpl in the Run dialog.
- In the left panel, click on Advanced settings to open Windows Firewall with Advanced Security.
- Click Inbound Rules > New Rule.
- Select Port, choose TCP, and enter 1801 as the port to block.
- Choose Block the connection and follow the prompts to complete the rule creation.
- Verify Firewall Rule:
- Ensure the firewall rule is applied and that the port is now blocked. You can use netstat again to verify that port 1801 is no longer open.
Step 4: Monitor and Test the Configuration
- Verify MSMQ Configuration:
- After disabling MSMQ HTTP-Support, stopping the MSMQ service, and blocking port 1801, verify the settings by attempting to connect to the system via port 1801 and ensuring that the connection is blocked.
- Use network scanning tools (like Nmap) to ensure the port is closed and not exposed.
- Test Application Dependencies:
- If your environment relies on MSMQ for application communication, test whether applications are still functional after disabling the service and blocking the port. If MSMQ is necessary for certain applications, consider limiting access to trusted networks and properly securing the service.
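As an added example, not from the original post, the function below audits the three conditions from Steps 1 to 3 (the MSMQ-HTTP feature, the MSMQ service, and a listener on TCP 1801) and, only when called with the assumed -Remediate switch, disables the feature, stops and disables the service, and adds the inbound block rule; without the switch it reports, which is the safe default when applications might still depend on MSMQ. It assumes an elevated session, and the rule name is the example's own.

```powershell
# Added example (not from the original post). Run elevated.
#Requires -RunAsAdministrator
function Invoke-MsmqCheck {
    param([switch]$Remediate)   # assumed switch: report only unless given
    $ruleName  = "Block Inbound MSMQ TCP 1801"   # example's own rule name
    $http      = Get-WindowsOptionalFeature -Online -FeatureName MSMQ-HTTP
    $svc       = Get-Service -Name MSMQ -ErrorAction SilentlyContinue
    $listeners = Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue
    $rule      = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue

    if ($Remediate) {
        # Step 1: remove the HTTP transport (the feature change needs a restart).
        if ($http.State -eq "Enabled") {
            Disable-WindowsOptionalFeature -Online -FeatureName MSMQ-HTTP -NoRestart | Out-Null
        }
        # Step 2: stop the service and keep it from starting again.
        if ($svc) {
            if ($svc.Status -ne "Stopped") { Stop-Service -Name MSMQ -Force }
            Set-Service -Name MSMQ -StartupType Disabled
        }
        # Step 3: block the MSMQ TCP port at the host firewall.
        if (-not $rule) {
            $rule = New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP -LocalPort 1801 -Action Block
        }
        # Re-read everything so the report reflects the new state.
        $http      = Get-WindowsOptionalFeature -Online -FeatureName MSMQ-HTTP
        $svc       = Get-Service -Name MSMQ -ErrorAction SilentlyContinue
        $listeners = Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue
    }

    [pscustomobject]@{
        MsmqHttpFeature   = $http.State.ToString()
        MsmqService       = if ($svc) { $svc.Status.ToString() } else { "not installed" }
        Port1801Listening = [bool]$listeners
        ListenerProcess   = ($listeners | ForEach-Object { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } | Select-Object -Unique) -join ","
        BlockRulePresent  = [bool]$rule
    }
}

Invoke-MsmqCheck                 # report only
# Invoke-MsmqCheck -Remediate    # apply Steps 1-3 once you have confirmed MSMQ is not needed
```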
CVE-2021-43890: Windows AppX Installer Spoofing Vulnerability
Step 1: Install the Latest Version of App Installer (1.21.3421.0 or Greater)
- Check Your Current Version:
- To check the current version of the App Installer on your system, open PowerShell and run the following command:
- (Get-AppxPackage Microsoft.DesktopAppInstaller).Version
- This will return the current version of App Installer installed on your system.
- Update App Installer Using the Microsoft Store:
- If the App Installer is not up-to-date, open the Microsoft Store app on your PC.
- Search for App Installer and check for available updates.
- If an update is available, click Update to install the latest version.
- Update App Installer Using Winget (If Microsoft Store is Unavailable):
- If your PC doesn’t have access to the Microsoft Store, you can update the App Installer using Winget.
- Open Command Prompt or PowerShell and run the following command:
- winget upgrade Microsoft.AppInstaller
- This command will update the App Installer to the latest version.
- Verify the Update:
- After updating, re-run the PowerShell command from Step 1 to verify that the App Installer version is now 1.21.3421.0 or greater.
Step 2: Monitor and Verify the Mitigation
- Verify App Installer Update:
- After updating to the latest version or disabling the protocol, verify that the ms-appinstaller protocol is no longer exposed (if you disabled it via Group Policy) and that App Installer is running the latest version.
- Test Installation of MSIX Files:
- Test the installation of MSIX or MSIXBundle files to ensure that the App Installer is functioning properly with the new configuration.
- Check for Any Errors or Warnings:
- Open Event Viewer and monitor for any errors or warnings related to App Installer or MSIX installations to ensure the changes have not impacted functionality.
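The script below is an added example, not from the original post, for the version check in Steps 1 and 2: it compares the installed App Installer version against the 1.21.3421.0 floor as a proper version comparison rather than a string, and, because Appx packages are installed per user, can report every profile on the machine instead of only the current one. It assumes an elevated session when -AllUsers is used.

```powershell
# Added example (not from the original post). -AllUsers requires an elevated session.
$minimum = [version]"1.21.3421.0"   # the floor given in Step 1

function Test-AppInstallerVersion {
    param([switch]$AllUsers)
    $pkgs = if ($AllUsers) { Get-AppxPackage -AllUsers -Name Microsoft.DesktopAppInstaller }
            else           { Get-AppxPackage -Name Microsoft.DesktopAppInstaller }
    if (-not $pkgs) {
        return [pscustomobject]@{ Version = $null; Minimum = $minimum; Compliant = $false; Users = "App Installer not found" }
    }
    foreach ($p in $pkgs) {
        $v = [version]$p.Version   # [version] compares numerically per component, unlike string comparison
        [pscustomobject]@{
            Version   = $v
            Minimum   = $minimum
            Compliant = ($v -ge $minimum)
            Users     = if ($AllUsers) { ($p.PackageUserInformation | ForEach-Object { $_.UserSecurityId.Username }) -join "," } else { $env:USERNAME }
        }
    }
}

$report = Test-AppInstallerVersion -AllUsers
$report | Format-Table -AutoSize
if ($report.Compliant -contains $false) {
    Write-Warning "At least one profile runs App Installer below $minimum; update via the Microsoft Store or run 'winget upgrade Microsoft.AppInstaller'."
}
```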
Conclusion
As 2024 comes to an end, addressing these critical Windows vulnerabilities is a priority for IT professionals and organizations alike. Implementing the recommended mitigation strategies will significantly enhance your security posture and reduce the risk of exploitation. Whether it’s through updating vulnerable software, disabling unnecessary services, or applying group policy changes, proactive actions today will help protect your systems from potential attacks. As always, it is vital to continue monitoring and updating security measures to stay ahead of emerging threats and ensure a secure digital environment in 2025 and beyond.